Ethical and legal aspects of research data management
Research data management at KTH should be done according to the KTH guidelines on managing research data. In the guidelines, the overall legal principles for research data management are outlined. But different legal frameworks apply for different types of research data, more information can be found at this page.
If your research concerns an area that may involve indigenous rights, it is advisable to be familiar with the
CARE Principles
.
If you collect personal data, it is important to take into account principles for the protection of personal integrity and to make a careful selection of research participants with respect for fairness, in order to obtain a representative sample in your study. In many other cases where technology is developed that affects people in society, ethical risks may also arise. Certain types of research additionally require
ethical approval
.
KTH as a public authority – the principle of public access to official documents
KTH is a state university and is therefore subject to the Swedish Principle of Public Access to Official Documents. This means that research data are generally considered public records, except in cases where confidentiality applies under the Public Access to Information and Secrecy Act. Anyone requesting access to a public document has the right to have their request reviewed. Grounds for confidentiality may include, for example, that a dataset contains sensitive personal data.
Data management in research collaboration – important to clarify responsibilities
If you conduct research in collaboration with others, there are often agreements or arrangements between the collaborating partners. If your research is externally funded, requirements for data management may also be included in the funder’s terms and conditions.
When it comes to data management, it is important to clearly state which organisation is the main responsible party for the funded project, and who is responsible for managing the data during the course of the collaborative research activities. A Data Management Plan (DMP) can be a useful way to clarify and document who is responsible for handling the data. Read more on the page
Plan and document
.
In a collaboration agreement between different parties in a research project, it should also be stated when confidentiality applies to data collected or generated within the collaboration.
It should furthermore be verified who holds the rights to any intellectual property (IP), such as copyrighted material or patentable inventions. Depending on the type of data generated in the research project, other agreements, permits, or risk assessments may also be required.
Anyone handling research data should, for instance, consider whether the planned research could cause suffering or other risks to living persons or experimental animals. Such research may require ethical review. There may also be other types of risks associated with data management – for example,
export control
regulations may apply in certain cases.
Read more below about the legal frameworks that are useful for researchers to be aware of when planning and conducting research.
KTH is a government authority which means that most research data should be treated as public documents according to The Public Access to Information and Secrecy Act (Offentlighets- och sekretesslagen). In short, this means that if there are no specific reasons for secrecy, research data should be made publicly available. Secrecy may be regulated in funding agency agreements or in collaboration agreements. Acceptable reasons for secrecy in research are described in section 3.4.4 in the
KTH policy for public access to information
.
What is personal information?
All information that directly or indirectly relates to a living person.
Sensitive personal information is information regarding a person’s:
Ethnical origin
Political views
Religious or philosophical convictions
Membership in a Union
Health
Sexual life or sexual orientation
Genetic information
Biometric data that specifically identifies a unique person
Personal data can only be processed when there are lawful reasons to do so. To process personal data you must have lawful reasons to do so. Scientific research conducted at a Swedish institution for higher education can often be considered to be done in the publish interest, since those institution has a legal obligation to do research. In some cases consent can also be used, but because of the power imbalance between the research principal (the university) and the research subject, consent cannot be generally applied as a lawful reason to process personal data.
To protect personal integrity while making datasets publicly available, it is sometimes enough to pseudonymize data. However, sensitive personal information should not be published and also requires higher security in the data management process. A special impact assessment is required when sensitive personal data is involved. This is also needed in certain other cases, such as when automated decision systems based on personal data are developed or filming in public places takes place. If this applies to your research project, contact the KTH Data protection officer.
If data that includes personal information is stored outside KTH servers it is important to have a data processing agreement (DPA) with the organization(s) that store or process the data.
If a research project includes research on living/deceased human subjects or includes sensitive personal information the Ethical Review Act states that your project must be approved by the Swedish Ethical Review Authority before starting. The Swedish Ethical Review Authority currently has very little information in English on their website, but they do offer translations for some forms.
If biological material from human subjects is collected, the samples must be treated according to the Biobanks in Medical Care Act and reported to the
Swedish Bio Bank registry
.
There is no copyright for factual data/observations but copyright apply on data such as images, software code and other creative works. This means that usage of such data may require consent form the Copyright holder also for research purposes who also has the right to be contributed. The principle of public access to official records holds also for Copyright protected material and may be ordered to be made publicly available. However, the person who order the material to be publicly available cannot use the material without consent from the Copyright holder.
If you are the creator and copyright holder you can decide to share your work under an open license where you give consent for usage of your Copyright protected material. There are different types of open licenses such as Creative Commons licenses often used for texts, images and music, or other licenses used for source code or databases. You can contact KTH Library for advice on choosing a suitable license.
If considerable investments have been made to collect a large compilation of data, i.e. create a database, there may be a certain protection for the database (see 49§ Upphovsrättslagen and the EU Directive on the legal protection of databases).
It should be clearly stated in a research project agreement who owns IP that may arise in the project. The main point of view is that KTH should be responsible for research data that is produced by KTH researchers and that this data should be made available for academic use.
Patentable inventions etc. that arise as part of research or educational activities are owned by the individual researcher/teacher – “The professor’s privilege”. Data that could be a basis for patentable inventions may in agreements be protected for a limited time by secrecy.
The Archival Act regulates among other things how and what a public authority such as KTH should archive for the future world. The archive of a public authority consists of the public documents arising from the activities of the public authority. Some documentation from the research process is required to be preserved.
